I have Spring Security in place, and login via login.jsp works perfectly fine.
Now I have to automatically get the user logged in based on the URL (similar to Single Sign On). I have a path parameter in the URL which is basically an encrypted code; I process this code to do an auto login.
I am modifying my LoginController to check whether I have a valid path param, from which I get my username & password. Using this username & password, I am doing "forward:/j_spring_security_check?j_username="+username+"&j_password="+password
This directs me to login.jsp with the following error: Your login attempt was not successful, try again. Caused : Authentication method not supported: GET
I have also tried "redirect:/j_spring_security_check?j_username="+username+"&j_password="+password, but it did not help.
The call to /j_spring_security_check is a POST, but forward: & redirect: are doing a GET, so how can I dispatch to /j_spring_security_check as a POST from my LoginController?
Thanks
The /j_spring_security_check URL is mapped to UsernamePasswordAuthenticationFilter, which serves the requests.
In UsernamePasswordAuthenticationFilter, postOnly is set to true by default.
The following change in spring-security.xml, which sets postOnly to false, worked.
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:postOnly="false" />
Also, in web.xml, the following configuration is required:
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
You could bypass the check by using a request wrapper which returns "POST" instead of "GET" for getMethod.
However, the check is there for a reason. It is generally considered bad practice to send credentials as URL parameters. Even if you are using an encrypted parameter, it is still technically equivalent to sending unencrypted authentication credentials since anyone who steals it can use it to authenticate.
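An added example, not part of either answer or of Spring Security: it illustrates the point above that a stolen URL parameter works like stolen credentials. The hypothetical class OneTimeLoginTokens (JDK only, constructed key and sample values) assumes the path parameter can be replaced by an HMAC-signed token that carries no password, expires, and can be redeemed only once, so a copy taken from a log or browser history fails on replay.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class): single-use, expiring login tokens for a URL path parameter.
public class OneTimeLoginTokens {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;
    // Nonces already redeemed; kept in memory only, which is an assumption of this sketch.
    private final Set<String> used = ConcurrentHashMap.newKeySet();

    public OneTimeLoginTokens(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data);
    }

    // The token carries expiry, a random nonce and the username, never the password.
    public String issue(String username, long expiresAtEpochSec) throws Exception {
        byte[] payload = (expiresAtEpochSec + "|" + UUID.randomUUID() + "|" + username)
                .getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload));
    }

    // Returns the username only if the MAC verifies, the token is unexpired and was never redeemed.
    public Optional<String> redeem(String token, long nowEpochSec) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return Optional.empty();
        byte[] payload, sig;
        try { payload = DEC.decode(parts[0]); sig = DEC.decode(parts[1]); }
        catch (IllegalArgumentException e) { return Optional.empty(); } // not valid base64url
        if (!MessageDigest.isEqual(mac(payload), sig)) return Optional.empty(); // constant-time compare
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", 3);
        if (f.length != 3 || nowEpochSec >= Long.parseLong(f[0])) return Optional.empty(); // expired
        if (!used.add(f[1])) return Optional.empty(); // nonce seen before: replayed token
        return Optional.of(f[2]);
    }
    public static void main(String[] args) throws Exception {
        OneTimeLoginTokens t = new OneTimeLoginTokens("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String token = t.issue("alice", 1_000L + 60); // constructed sample: expires 60 s after t=1000
        System.out.println(t.redeem(token, 1_000L)); // first use is accepted
        System.out.println(t.redeem(token, 1_001L)); // same token again is rejected
    }
}
```

With a token like this, the controller would establish the session for the returned username on the server side instead of forwarding j_username and j_password in a URL.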